[ale] [EXTERNAL] Re: access.conf syntax on CentOS 8

Beddingfield, Allen allen at ua.edu
Wed Jun 10 09:44:50 EDT 2020


Thanks,
Unfortunately, I don't have a choice about the directory I have to connect to.  This has to work against the enterprise LDAP directory (which I don't administer).  Also, CentOS/RHEL systems are rare in our environment (we are almost exclusively a SUSE shop), and the last time I checked, SLES wasn't supported - at least officially.  The only tool I really have to make my life easier is config management...
Allen B.

--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu


________________________________________
From: Jim Kinney <jim.kinney at gmail.com>
Sent: Wednesday, June 10, 2020 6:13 AM
To: Beddingfield, Allen; Atlanta Linux Enthusiasts; Beddingfield, Allen via Ale
Subject: [EXTERNAL] Re: [ale] access.conf syntax on CentOS 8

Make your life much easier. Use FreeIPA. It takes all the pieces and puts them together in a cohesive manner. It provides a web gui to abstract across multiple levels of complicated security protocols.

With this toolchain you can allow local root login, specific groups can log in with LDAP backed credentials. You can allow specific users or groups tightly controlled sudo capability from specific commands on specific machines to full sudo across groups of machines.

On June 9, 2020 11:48:44 PM EDT, "Beddingfield, Allen via Ale" <ale at ale.org> wrote:

I have never really put much thought into my LDAP client configuration.  I finally, begrudgingly switched to using SSSD around CentOS 7/SLES 12.  I've been just putting sssd.conf on the system, and on CentOS manually pushing some files in /etc/pam.d and an nsswitch file with config management software (on SLES I use the "pam-config" utility).
My nsswitch config was using "compat" so that I tacked the netgroups onto the end of passwd as always.
Well, I've noticed that with CentOS 8, I can just drop sssd.conf onto the server, restart sssd and do "authselect select sssd with-mkhomedir" and everything works - except for netgroups on the end of passwd.  They are ignored, and ALL LDAP users can log in.
I know I can create a custom authselect profile to put compat in nsswitch, but I thought it would be a good opportunity to "do it the modern way", so I started looking into access.conf.
I see how to do all the examples in the man page and the config file, but they don't match my exact need, and I'm not sure if the combination I need is possible.

Here is what I want to do:
Allow root to log in from anywhere
Allow all LOCAL users to log in from anywhere
Allow members of LDAP Netgroup "linuxadmin" to log in from anywhere.
Deny all other LDAP members that the bind user can see.

The examples I'm seeing are of explicitly listing root, local users by name, and the netgroup.  Is there some wildcard to use for "all local users"?  We have a lot of systems where the end users are logging in with local credentials, and we use LDAP for admin users - so there is no consistent list of local accounts.
In the past, I've just put "+@linuxadmin::::::" at the end of /etc/passwd and accomplished this.
Obviously if I don't either configure compat in nsswitch or access.conf, any user the LDAP bind account can see will be able to log in, and that is NOT what I want to happen.

Any thoughts?
Thanks.
Allen B.
--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu
________________________________
Ale mailing list
Ale at ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

--
"no government by experts in which the masses do not have the chance to inform the experts as to their needs can be anything but an oligarchy managed in the interests of the few.” - John Dewey
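As an added illustration of the policy described in the quoted question (not taken from any message in this thread), this is how the rules that pam_access can express directly look in /etc/security/access.conf; the "all local users" requirement is the one it has no wildcard for, and the comments say what the usual alternatives are. The group name "localusers" is a placeholder.

```text
# /etc/security/access.conf  (added example, not from the thread)
# Format: permission : users/groups : origins   -- the first matching line wins,
# so order matters and the catch-all deny must come last.

# root may log in from anywhere
+ : root : ALL

# members of the LDAP netgroup "linuxadmin" may log in from anywhere.
# Netgroups are written with a leading @ and must be resolvable through
# nsswitch (the sssd authselect profile sets "netgroup: sss files").
+ : @linuxadmin : ALL

# "all local users" has no token in pam_access. Either name them, or put them
# in a local group and allow that group (parentheses mark a group entry):
#   + : (localusers) : ALL
# or place pam_localuser.so (succeeds for any account present in /etc/passwd)
# ahead of pam_access.so in the account stack and leave access.conf to the
# LDAP decision.

# every other account the LDAP bind user can see is denied
- : ALL : ALL
```

On CentOS 8 the authselect sssd profile enables pam_access with its with-pamaccess feature, which adds pam_access.so to the account stack; any hand edits to /etc/pam.d are otherwise overwritten by authselect.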
